Page 65 - Cyber Defense eMagazine June 2020 Edition

Lifting Physical Security Measures to the Cloud Is a Failed Strategy

Consider the days when on-premises datacenters were full of physical servers. To verify the security state of those machines, administrators had two options: run code on each via a software agent, or scan every system from the network to look for vulnerabilities, misconfigurations, and other risks. When businesses began to move their workloads to the cloud, these same security technologies were merely lifted and shifted.

Organizations ended up having both an agent – the same agent from the on-prem days bolted on to the cloud – as well as the same scanners. But those tools weren’t reimagined to support the unique characteristics of cloud computing, so the limitations of agents and scanners were magnified on the new platform.

While agents can see everything that happens, they have to be installed on every machine to be scanned. This simply isn’t practical in a cloud environment that uses ephemeral servers, containers, and serverless workloads that burst into existence for a short time and then disappear just as quickly. No human—and perhaps not even automation tools—can keep track of software agents and ensure they’re consistently installed in such a dynamic environment. What’s more, the high cost and complexity of agent deployment and maintenance, as well as friction with DevOps teams, make agent-based scanning totally unsuitable for the cloud.

As for network scanners—which are essentially whitelisted hacking tools—visibility is critically limited to just those assets that are already known and accessible. Moreover, scans put data integrity at risk, use significant system resources during test procedures, and completely miss some assets and risks because they simply aren’t visible or accessible.



New Tools Address (Some) Cloud Security Needs


With legacy security tools leaving gaps, new cloud-native tools attempt to fill the need to assess risk in cloud estates. For example, Cloud Security Posture Managers (CSPMs) verify that cloud configurations are following security best practices and compliance standards such as the CIS framework, Azure and GCP benchmarks, and PCI DSS or HIPAA guidelines. While CSPMs do look at configurations unique to cloud environments, at best they provide shallow coverage because they don’t go inside machines, but rather view them from the outside.

Cloud platform hosts provide a number of security tools exclusive to their own environments. Amazon, Google, and Microsoft all offer tools and services to detect threats, analyze application security, investigate potential security issues, discover unprotected keys and sensitive data, identify non-compliance with security frameworks and regulations, and more. Third-party vendors also provide tools—many of them retreads from the on-premises environment—in each of these areas.

The key issue with such tools is that they only provide a partial view into your cloud estate’s risks and vulnerabilities. An organization must deploy multiple tools or services to get the full picture, and even then it’s not a holistic view. Each tool performs its own vulnerability detection, and getting them all to communicate with one another and provide clear context regarding each finding is nearly impossible.




Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.